[=-=-=-=-=-=-=-=] Question/Answer [=-=-=-=-=-=-=-=]
Q1: Identify the intrusion method, its date, and time. (Assume the
clock on the IDS was synchronized with an NTP reference time
source.)
A1: According to the IDS logs, the attack took place on Nov 7, 23:11:[06-51].
As the IDS is the authoritative source of timestamps, this suggests that the
compromised system's clock was approximately one hour ahead of real time.
The attacker used the rpc.statd vulnerability (for further analysis, see
shellcode.txt). This was logged by the IDS and was also found in the
(reconstructed) /var/log/messages.
Q2: Identify as much as possible about the intruder(s).
A2: There is no evidence that there was more than one attacker, so
we can suppose that the system was attacked by a single (most probably
human, i.e. not necessarily automated) attacker (I'll use the masculine
when referring to the attacker).
According to the information gathered, he came from (probably compromised)
hosts in the @Home network. The attack itself (the actual exploitation of the
vulnerability) originated from 216.216.74.2. This was logged
by both the IDS and the attacked host (/var/log/messages, /var/log/secure).
Once the honeypot had been compromised, the attacker connected again more
than 8 hours later from a .home.com address (24.12.200.186). This can
be found in the recovered /var/log/{messages,lastlog} and /proc/net/tcp.
The IDS logs also suggest that the attacker is 22 hops away from us, because
the default Linux TTL equals 64, while the TTL of the received packet
was only 42.
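As an added example (not part of the original submission), the two inferences above can be automated: correlating the NTP-synchronised IDS timestamp of the rpc.statd alert with the host's own syslog entry gives the host's clock skew, and the observed TTL gives a hop estimate. The alert and syslog lines are constructed samples in Snort and syslog style, not the challenge's real logs, and the year 2000 is assumed because neither format carries one.

```python
# Added example, not from the original challenge submission. Correlates an
# IDS alert with the compromised host's syslog entry for the same event to
# estimate the host's clock skew, and estimates attacker distance from TTL.
from datetime import datetime

LOG_YEAR = 2000  # assumption: neither Snort alerts nor syslog carry the year

# Constructed IDS alert line (Snort-style "MM/DD-HH:MM:SS.usec" timestamp).
IDS_ALERT = "11/07-23:11:06.432178 216.216.74.2:1024 -> 172.16.1.107:111"
# Constructed syslog line from the reconstructed /var/log/messages; the host
# clock shows the same event roughly one hour after the IDS does.
HOST_LOG = "Nov  8 00:11:07 victim rpc.statd[349]: gethostbyname error for ^X"

def parse_ids_time(line: str, year: int = LOG_YEAR) -> datetime:
    """Parse the leading 'MM/DD-HH:MM:SS.usec' field of a Snort alert line."""
    stamp = line.split()[0]
    return datetime.strptime(f"{year} {stamp}", "%Y %m/%d-%H:%M:%S.%f")

def parse_syslog_time(line: str, year: int = LOG_YEAR) -> datetime:
    """Parse the 'Mon dd HH:MM:SS' prefix of a classic syslog line."""
    mon, day, clock = line.split()[:3]
    return datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")

def clock_skew_seconds(ids_line: str, host_line: str) -> float:
    """Host clock minus IDS clock, in seconds (positive = host runs ahead).
    The IDS is treated as authoritative because it is NTP-synchronised."""
    delta = parse_syslog_time(host_line) - parse_ids_time(ids_line)
    return delta.total_seconds()

def estimate_hops(observed_ttl: int) -> int:
    """Distance estimate: assume the sender started from the nearest common
    initial TTL at or above the observed value (32, 64, 128 or 255)."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range")

if __name__ == "__main__":
    skew = clock_skew_seconds(IDS_ALERT, HOST_LOG)
    print(f"host clock is {skew / 3600:.2f} h ahead of the IDS")  # ~1.00 h
    print(f"attacker about {estimate_hops(42)} hops away")         # 22
```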
A quick look using nslookup and whois yields these results:
216.216.74.2 = ATHM-216-216-xxx-2.home.net
24.12.200.186 = c871553-b.jffsn1.mo.home.com
Advanced Commerce Systems (NETBLK-ATWORK-WI33381)
5910 N. Central Expressway, Suite 1040
Dallas, TX 75206
US
Netname: ATWORK-WI33381
Netblock: 216.216.74.0 - 216.216.74.15
Coordinator:
Anderson, Michael J. (MJA-ARIN) mianders@ADVANCEDCOMMERCE.COM
214-891-6306
Record last updated on 26-Jul-1999.
Database last updated on 5-Feb-2001 06:24:46 EDT.
@Home Network (NETBLK-CLMBA1-MO-1)
425 Broadway
Redwood City, CA 94063
US
Netname: CLMBA1-MO-1
Netblock: 24.12.192.0 - 24.12.207.255
Coordinator:
Operations, Network (HOME-NOC-ARIN) noc-abuse@noc.home.net
(650) 556-5599
Record last updated on 15-Nov-1999.
Database last updated on 5-Feb-2001 06:24:46 EDT.
From the attack methodology used and the below-average steps taken to
cover his tracks, conclusions can be drawn about the attacker's profile.
Please keep in mind that the following description is a COMPLETE GUESS.
He is a so-called script kiddie - a person who downloads exploits/
rootkits/other tools (and is unable to write anything of his own),
combines them (often inefficiently) and then attacks every machine
he finds. Usually, he installs eggdrop or a similar IRC (ro)bot on
the compromised machine.
Q3: List all the files that were added/modified by the intruder.
Provide an analysis of these programs (including decompilation or
disassembly where necessary to determine their function and role
in the incident.)
A3: Most of these files are analysed in rkit.txt.
Q4: Was there a sniffer or password harvesting program installed? If
so, where and what files are associated with it?
A4: Yes, there was a password harvester in the SSH daemon. The SSH daemon
(/usr/local/sbin/sshd) was replaced with a trojaned version, which
logged every name and password into the /usr/tmp/nap file (a name
usually associated with Napster). Thanks
to this `feature', we know the universal SSH password (from /usr/
var/nap). This password is `tw1Lightz0ne' and it can be found
hashed in the sshd executable. Besides that, there was also an ethernet
sniffer installed as a running process, but unlike sshd, the sniffer
would not survive a reboot of the machine. This sniffer writes its
output into /usr/man/.Ci/tcp.log.
Q5: Was there a "rootkit" or other post-concealment trojan horse
programs installed on the system? If so, what operating system
programs were replaced and how could you get around them? Hint: If
you don't know what a "rootkit" is, read this:
A5: Yes, there was a rootkit installed and its analysis is available
in a separate file (rkit.txt). Getting around the trojaned
system binaries could be accomplished in at least three different
ways:
1) Mounting a cdrom with a clean set of statically compiled binaries
and using them instead of the trojaned ones.
2) Using the binaries from /usr/man/.Ci/backup - the originals of the
trojaned ones.
3) Most of the configuration files for the binaries have not been
carefully configured, so a simple ls -la /usr/man would show the
.Ci directory, and as soon as the trojan's directory is found
it wouldn't be that difficult to get rid of it.
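As an added example covering A4 and A5 (not part of the original submission), here are two defender-side checks for the trojaned sshd and the rootkit binaries: comparing each installed binary's hash against a baseline from a known-clean system (or the originals left in /usr/man/.Ci/backup), and scanning a binary for printable strings that name the rootkit's hidden paths, such as the credential drop file. All file contents are constructed in memory; no real binaries are read.

```python
# Added example, not from the original submission. Integrity check plus a
# strings(1)-style scan for the rootkit's hidden paths described above.
import hashlib
import re

# Constructed "clean baseline" and "installed" binary contents (fake ELF).
CLEAN_SSHD = b"\x7fELF...genuine sshd...\x00/etc/sshd_config\x00"
TROJAN_SSHD = b"\x7fELF...trojaned sshd...\x00/usr/tmp/nap\x00/etc/sshd_config\x00"
CLEAN_LS = b"\x7fELF...ls...\x00"

BASELINE = {  # sha256 of the known-good binaries (assumed clean system)
    "/usr/local/sbin/sshd": hashlib.sha256(CLEAN_SSHD).hexdigest(),
    "/bin/ls": hashlib.sha256(CLEAN_LS).hexdigest(),
}
INSTALLED = {  # what is actually on the compromised host
    "/usr/local/sbin/sshd": TROJAN_SSHD,
    "/bin/ls": CLEAN_LS,
}

# Paths the rootkit uses, taken from the analysis in A4 and A5.
SUSPICIOUS_PATHS = ("/usr/tmp/nap", "/usr/man/.Ci")

def modified_binaries(baseline: dict, installed: dict) -> list:
    """Return paths whose installed hash differs from the clean baseline."""
    return [path for path, data in installed.items()
            if hashlib.sha256(data).hexdigest() != baseline.get(path)]

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of strings(1): runs of printable ASCII of at least min_len."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def suspicious_strings(data: bytes) -> list:
    """Strings in the binary that mention a known rootkit path."""
    return [s for s in printable_strings(data)
            if any(p in s for p in SUSPICIOUS_PATHS)]

if __name__ == "__main__":
    for path in modified_binaries(BASELINE, INSTALLED):
        print(f"MODIFIED: {path}")                      # /usr/local/sbin/sshd
        for s in suspicious_strings(INSTALLED[path]):
            print(f"  embeds rootkit path: {s!r}")      # '/usr/tmp/nap'
```

On a real system the baseline would come from a clean install of the same packages, and the check must be run with trusted (statically linked) tools, since the rootkit's own ls and friends hide the .Ci directory.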
Q6: What is publicly known about the source of any programs found on
the system? (e.g., their authors, where source code can be found,
what exploits or advisories exist about them, etc.)
A6: The system was a standard RedHat 6.2 installation, which contained
the rpc.statd vulnerability. The attacker fixed this (and possibly
other) vulnerabilities by installing upgraded versions of
the packages.
Q7: Build a time line of events and provide a detailed analysis of
activity on the system, noting sources of supporting or confirming
evidence (elsewhere on the system or compared with a known "clean"
system of similar configuration.)
A7: The timeline is available in timeline.txt.
-----------------------------------------------------------------------------
Q8: Provide a report suitable for management or news media (general
aspects of the intrusion without specific identifying data).
A8: I'm more technically-oriented = I'm not able to write something
general about the intrusion without referring to the actual data
gained during the analysis. But if I really had to write something
suitable for the media, I'd tell some facts about the attacker -
- that he did not damage any data (= no information leak... but I don't
even know what so important could be stored on this computer,
because it was not meant to be a server, just a workstation).
- that after the attack, he closed some of the vulnerabilities
of the system, in order to prevent others from attacking it again.
Q9: Provide an advisory for use within the home organization (a
fictitious university, "honeyp.edu", in this case, where I hold an
honorary Doctorate, by the way) to explain the key aspects of the
vulnerability exploited, how to detect and defend against this
vulnerability, and how to determine if other systems were
similarly compromised.
A9: Available in advisory.txt.
Q10: Produce a cost-estimate for this incident using the following
guidelines and method:
To simplify and to normalize the results, assume that your annual
salary is $70,000 and that there are no user-related costs. (If
you work as a team, break out hours by person, but all members
should use the same annual salary. Please also include a brief
description of each investigator's number of years of experience
in the fields of system administration, programming, and security,
just to help us compare the number of hours spent with other
entrants).
A10: I'm not able to answer this question, because the annual salary
of $70,000 is far (by a factor of more than 10) more than the wages
around here. Thus every estimate I'd have produced would be a complete
guess and thus good-for-nothing.
The time I spent on this analysis is around two days (48 +/- 1 hours).
For three years (as a student) I helped (= volunteered) with the
high school's network. Thus, I spent about three years in the field
of security and system administration. As for programming, it's
about three times as much (=> 9 years).